OpenDKIM issues - possible Virtualmin bugs?

#1 Thu, 08/07/2014 - 04:49
lewisjenkins

I'll try and keep this short and simple :)

/etc/opendkim.conf (as installed by Virtualmin) includes these lines :

Domain /etc/dkim-domains.txt

KeyFile /etc/dkim.key

Selector myselector

SigningTable refile:/etc/dkim-signingtable

KeyTable /etc/dkim-keytable

Virtualmin adds 'Additional domains to sign for' to /etc/dkim-domains.txt. However, the 'Domain' parameter is ignored if a KeyTable is defined (source: http://www.opendkim.org/opendkim.conf.5.html).

ALSO

Outbound emails are being incorrectly signed as follows :

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=*; s=myselector;

This causes DKIM to be invalid. The correct format should be like this :

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.com; s=myselector;

This appears to be caused by the following line in /etc/dkim-keytable :

default *:myselector:/etc/dkim.key

Which should be like this :

default mydomain.com:myselector:/etc/dkim.key

WORKAROUNDS

Remove these two lines from /etc/opendkim.conf

SigningTable refile:/etc/dkim-signingtable

KeyTable /etc/dkim-keytable

This allows the 'Domain' parameter to work, so you can manually add your domains as 'Additional domains to sign for' and they will be DKIM-signed correctly.

The problem is that Virtualmin will overwrite opendkim.conf and add the two lines back in, which disables the 'Domain' parameter.

Another workaround is to use a custom key by copying the key from /etc/dkim.key into Virtualmin > mydomain.com > Server Configuration > Domain Key Options, and do this for every domain on the system. This correctly adds a line to /etc/dkim-keytable as follows :

140725103914839 mydomain.com:myselector:/etc/140725103914839.dkim-key

This is the best workaround because it doesn't get overwritten, but it does mean that you must manually add the custom key for every domain on the system.

This appears to be a bug in the current Virtualmin implementation of OpenDKIM, so can you maybe take a look? Thanks.
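The two conditions reported in the post above can be checked mechanically. The following is an added example, not part of the original post and not Virtualmin or OpenDKIM code: a small Python lint over the configuration text. The sample file contents are constructed from the lines quoted in the post, and the function names are hypothetical.

```python
# Added example: lint OpenDKIM settings for the two problems described in the post.
# CONF and KEYTABLE are constructed samples built from the lines quoted in the thread.
CONF = """\
Domain /etc/dkim-domains.txt
KeyFile /etc/dkim.key
Selector myselector
SigningTable refile:/etc/dkim-signingtable
KeyTable /etc/dkim-keytable
"""

KEYTABLE = """\
default *:myselector:/etc/dkim.key
140725103914839 mydomain.com:myselector:/etc/140725103914839.dkim-key
"""

def parse_conf(text):
    """Return {parameter: value} from opendkim.conf-style text, skipping comments."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def parse_keytable(text):
    """Return (keyname, domain, selector, keypath) tuples for well-formed entries."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[1].count(":") >= 2:
            domain, selector, path = parts[1].strip().split(":", 2)
            entries.append((parts[0], domain, selector, path))
    return entries

def lint(conf_text, keytable_text):
    """Return findings for the two issues the post reports."""
    findings = []
    conf = parse_conf(conf_text)
    if "KeyTable" in conf and "Domain" in conf:
        findings.append("Domain is set but ignored because KeyTable is defined")
    for name, domain, _selector, _path in parse_keytable(keytable_text):
        if domain == "*":  # the post observes this ends up as d=* in the signature
            findings.append(f"key '{name}': domain field is '*', not a real domain")
    return findings

if __name__ == "__main__":
    for finding in lint(CONF, KEYTABLE):
        print("WARN:", finding)
```

On a live system, the same functions can be fed the contents of /etc/opendkim.conf and /etc/dkim-keytable read from disk.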

Sat, 08/09/2014 - 01:31
Lanna

I noticed this issue and spent DAYS tearing my hair out trying to make it work. I posted here but as yet have not established the consequences of what I did to get it working... https://www.virtualmin.com/node/33801

I didn't realise the lines were being written back in by Virtualmin! :(

DKIM is becoming an increasingly important implementation for webmasters; it'd be good if we can get to the bottom of this and fix it sooner rather than later.

Sat, 08/09/2014 - 10:05
lewisjenkins

Glad to see somebody reply. I've been checking back here every few hours hoping for a fix myself. I just replied to your other post at https://www.virtualmin.com/node/33801 - hopefully it gives you a workaround until this is fixed in Virtualmin.

Thu, 02/26/2015 - 18:54
lolbrol

Thank you lewisjenkins for the workaround. I was raging, because it didn't work.
